Re: [OT] Tripwire passphrase

On Tue, 2004-12-14 at 09:42, Aleksandar Milivojevic wrote:
> Scot L. Harris wrote:
> > It's not that bad.  Remember the passphrase is not used as a password,
> > it is a key that is used to sign the database, config,  and policy
> > files.  It does not take that much effort to initialize the database or
> > sign the config and policy files when you want to change the keys.  
> I thought that passphrase was used to protect the key, not as a key?
I probably did a horrible job trying to explain that.  The passphrase
does protect the key but as I understand it, it is not like a standard
password that is kept in a separate file somewhere.  I also believe it
is in effect incorporated in the key itself.  Could be wrong about that.

> > Probably the hardest thing about using tripwire is getting the policy
> > setup correctly the first time.  The default policy is pretty bad since
> > it usually includes many files that are not installed on a typical
> > system and the rules in place for the root account and for log files
> > require much adjustment.
> I second that.  The default RedHat policy file was horrible.  Instead of
> checking for everything in /bin, /sbin, /etc and other important places
> (and having exceptions for a few "special" files to keep noise low), it
> had lists of files to check.  It generated tons of errors if you didn't
> have the full distro installed, and it had gaping holes in files it hadn't
> checked (not to mention it was unable to detect addition of files).

Yup, same that I found here.  Getting the right options for the various
log files seemed to take me the most time.  I have gotten pretty good at
editing the policy file after the first run of tripwire removing rules
that don't apply since I don't have many of the packages the default
policy file is looking for.  I also suspect that very little work has
gone into crafting the default policy; it has not seemed to change in the
last several releases.

> If tripwire gets included into the distro again (and it should, there is
> still no good replacement for it), that default policy file should be
> built from scratch.

I agree, tripwire should be included.  AIDE does not seem to be a valid
option yet.  Once you get it set up, tripwire requires minimal care and
feeding.  But getting it set up correctly is the hard part.  I also use a
filter in email that helps flag a violation so I know when something has
changed without having to read each tripwire report.  At one time I had
it set up in Big Brother as well so there was a visual alert.

Scot L. Harris
webid cfl rr com

YOW!!  Up ahead!  It's a DONUT HUT!! 
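The policy point raised in this thread (scan whole directories such as /bin, /sbin and /etc with a few exceptions for noisy files, rather than listing individual files, so that added and removed files are noticed) is illustrated below with a small integrity checker. This is an added example, not tripwire or AIDE code; the POLICY dictionary, the directory tree it builds under a temporary directory, and the tampering it simulates are all constructed for the demonstration.

```python
"""Directory-rule file integrity check with exceptions (added illustration)."""
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, List

# Constructed policy: recursive directory rules plus glob exceptions to keep
# noise low.  A policy that enumerated individual files instead could not
# report files that were added after the baseline was taken.
POLICY = {
    "rules": ["bin", "sbin", "etc"],           # roots (relative to the tree) scanned recursively
    "exceptions": ["etc/mtab", "etc/*.log"],   # expected-to-change files, excluded from reports
}


def _sha256(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _excluded(rel: str, patterns: List[str]) -> bool:
    return any(fnmatch.fnmatch(rel, pat) for pat in patterns)


def snapshot(root: str, policy: dict) -> Dict[str, str]:
    """Walk every rule directory under root and record a digest per regular file."""
    db: Dict[str, str] = {}
    for rule in policy["rules"]:
        for dirpath, _dirs, files in os.walk(os.path.join(root, rule)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                # Skip symlinks and special files; only regular files are hashed.
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                if _excluded(rel, policy["exceptions"]):
                    continue
                db[rel] = _sha256(full)
    return db


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report additions, removals and content changes between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, take a baseline, simulate changes, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: str) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(data)

        write("bin/ls", "ls-binary-v1")          # constructed stand-in for a binary
        write("etc/passwd", "root:x:0:0")        # constructed config file
        write("etc/mtab", "mounts-1")            # excluded by policy
        write("etc/boot.log", "log-1")           # excluded by policy
        baseline = snapshot(root, POLICY)

        write("bin/ls", "ls-binary-v2")          # modified: reported as changed
        write("sbin/newtool", "dropped-in")      # added: a file-list policy would miss this
        os.remove(os.path.join(root, "etc/passwd"))  # removed: reported
        write("etc/mtab", "mounts-2")            # churn in excluded files stays silent
        write("etc/boot.log", "log-2")
        return compare(baseline, snapshot(root, POLICY))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The exceptions list is where the "noise low" trade-off lives: every pattern added there is a place where a change will not be reported, so it should name only files whose contents are expected to change on a healthy system, and never whole directories under /bin or /sbin.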